songining

1. process & remote 

- process : ์ต์Šคํ”Œ๋กœ์ž‡์„ ๋กœ์ปฌ ๋ฐ”์ด๋„ˆ๋ฆฌ๋ฅผ ๋Œ€์ƒ์œผ๋กœ ํ•  ๋•Œ ์‚ฌ์šฉํ•˜๋Š” ํ•จ์ˆ˜ (ํ…Œ์ŠคํŠธ & ๋””๋ฒ„๊น… ์šฉ)

- remote : ์›๊ฒฉ ์„œ๋ฒ„๋ฅผ ๋Œ€์ƒ์œผ๋กœ ํ•  ๋•Œ ์‚ฌ์šฉ (์„œ๋ฒ„๋ฅผ ์‹ค์ œ ๊ณต๊ฒฉํ•˜๊ธฐ ์œ„ํ•จ) 

from pwn import *
p = process('./test') #๋กœ์ปฌ ๋ฐ”์ด๋„ˆ๋ฆฌ 'test'๋ฅผ ๋Œ€์ƒ์œผ๋กœ ์ต์Šคํ”Œ๋กœ์ž‡ ์ˆ˜ํ–‰
p = remote('example.com',31337) #'example.com'์˜ 31337 ํฌํŠธ์—์„œ ์‹คํ–‰ ์ค‘์ธ ํ”„๋กœ์„ธ์Šค๋ฅผ ๋Œ€์ƒ์œผ๋กœ ์ต์Šคํ”Œ๋กœ์ž‡ ์ˆ˜ํ–‰

2. send 

- send : ๋ฐ์ดํ„ฐ๋ฅผ ํ”„๋กœ์„ธ์Šค์— ์ „์†กํ•˜๊ธฐ์œ„ํ•ด ์‚ฌ์šฉ 

from pwn import *
p = process('./test')
p.send('A') # ./test์— 'A'๋ฅผ ์ž…๋ ฅ
p.sendline('A') # ./test์— 'A'+'\n'์„ ์ž…๋ ฅ
p.sendafter('hello','A') # ./test๊ฐ€ 'hello'๋ฅผ ์ถœ๋ ฅํ•˜๋ฉด, 'A'๋ฅผ ์ž…๋ ฅ
p.sendlineafter('hello','A') # ./test๊ฐ€ 'hello'๋ฅผ ์ถœ๋ ฅํ•˜๋ฉด, 'A' + '\n'์„ ์ž…๋ ฅ

3. recv

- recv : ํ”„๋กœ์„ธ์Šค์—์„œ ๋ฐ์ดํ„ฐ๋ฅผ ๋ฐ›๊ธฐ ์œ„ํ•ด ์‚ฌ์šฉ 

from pwn import *
p = process('./test')
data = p.recv(1024) #p๊ฐ€ ์ถœ๋ ฅํ•˜๋Š” ๋ฐ์ดํ„ฐ๋ฅผ ์ตœ๋Œ€ 1024๋ฐ”์ดํŠธ๊นŒ์ง€ ๋ฐ›์•„์„œ data์— ์ €์žฅ
data = p.recvline() #p๊ฐ€ ์ถœ๋ ฅํ•˜๋Š” ๋ฐ์ดํ„ฐ๋ฅผ ๊ฐœํ–‰๋ฌธ์ž๋ฅผ ๋งŒ๋‚  ๋•Œ๊นŒ์ง€ ๋ฐ›์•„์„œ data์— ์ €์žฅ
data = p.recvn(5) #p๊ฐ€ ์ถœ๋ ฅํ•˜๋Š” ๋ฐ์ดํ„ฐ๋ฅผ 5๋ฐ”์ดํŠธ๋งŒ ๋ฐ›์•„์„œ data์— ์ €์žฅ
data = p.recvuntil('hello') #p๊ฐ€ ์ถœ๋ ฅํ•˜๋Š” ๋ฐ์ดํ„ฐ๋ฅผ 'hello'๊ฐ€ ์ถœ๋ ฅ๋  ๋•Œ๊นŒ์ง€ ๋ฐ›์•„์„œ data์— ์ €์žฅ
data = p.recvall() #p๊ฐ€ ์ถœ๋ ฅํ•˜๋Š” ๋ฐ์ดํ„ฐ๋ฅผ ํ”„๋กœ์„ธ์Šค๊ฐ€ ์ข…๋ฃŒ๋  ๋ฐ›์•„์„œ data์— ์ €์žฅ

4. packing & unpacking 

16์ง„์ˆ˜ 2๊ฐœ๋‹น 1byte(8bit)

๋ฆฌํ‹€์—”๋””์•ˆ์œผ๋กœ ๋ฐฐ์—ด ์ถœ๋ ฅ ์›ํ•˜๊ฑฐ๋‚˜(u) ๊ทธ ๋ฐ˜๋Œ€(p)์ผ ๋•Œ ์‚ฌ์šฉ! 

u32 : 4byte 

u64 : 8byte 

ex)

Print u64(“ABCDEFGH”)
5208208757389214273 // ์ด์™€ ๊ฐ™์ด ์ •์ˆ˜๋กœ ๋ณ€ํ™˜๋จ

// ์ด๊ฑธ hex ๋กœ ๋ณ€๊ฒฝํ•˜๋ฉด 0x4142434445464748 (๋ฆฌํ‹€์—”๋””์•ˆ)
#!/usr/bin/python3
#Name: pup.py
from pwn import *
s32 = 0x41424344
s64 = 0x4142434445464748
print(p32(s32))
print(p64(s64))
s32 = "ABCD"
s64 = "ABCDEFGH"
print(hex(u32(s32)))
print(hex(u64(s64)))
$ python3 pup.py
b'DCBA'
b'HGFEDCBA'
0x44434241
0x4847464544434241

5. interactive 

์ต์Šคํ”Œ๋กœ์ž‡์˜ ํŠน์ • ์ƒํ™ฉ์— ์ง์ ‘ ์ž…๋ ฅ์„ ์ฃผ๋ฉด์„œ ์ถœ๋ ฅ์„ ํ™•์ธํ•˜๊ณ  ์‹ถ์„ ๋•Œ ์‚ฌ์šฉํ•˜๋Š” ํ•จ์ˆ˜

from pwn import *
p = process('./test')
p.interactive()

6. ELF

ELF ํ—ค๋”์—๋Š” ์ต์Šคํ”Œ๋กœ์ž‡์— ํ™œ์šฉ๋  ์ˆ˜ ์žˆ๋Š” ๊ฐ์ข… ์ •๋ณด๊ฐ€ ๊ธฐ๋ก๋˜์–ด์žˆ์Œ 

pwntools๋ฅผ ์ด์šฉํ•ด ํ•ด๋‹น ์ •๋ณด ์‰ฝ๊ฒŒ ์ฐธ์กฐ ๊ฐ€๋Šฅ 

from pwn import *
e= ELF('./test')
puts_plt = e.plt['puts'] # ./test์—์„œ puts()์˜ PLT์ฃผ์†Œ๋ฅผ ์ฐพ์•„์„œ puts_plt์— ์ €์žฅ
read_got = e.got['read'] # ./test์—์„œ read()์˜ GOT์ฃผ์†Œ๋ฅผ ์ฐพ์•„์„œ read_got์— ์ €์žฅ
get_shell = elf.symbols["get_shell"] #get_shellํ•จ์ˆ˜์˜ ๋ฒ ์ด์Šค ์ฃผ์†Œ์™€ offset ์ €์žฅ

7. context.log 

์ต์Šคํ”Œ๋กœ์ž‡์— ๋ฒ„๊ทธ๊ฐ€ ๋ฐœ์ƒํ–ˆ์„ ๊ฒฝ์šฐ ์ต์Šคํ”Œ๋กœ์ž‡๋„ ๋””๋ฒ„๊น…์ด ํ•„์š”

pwntools์˜ ๋กœ๊น… ๊ธฐ๋Šฅ์„ ์ด์šฉ

from pwn import *
context.log_level = 'error' # ์—๋Ÿฌ๋งŒ ์ถœ๋ ฅ
context.log_level = 'debug' # ๋Œ€์ƒ ํ”„๋กœ์„ธ์Šค์™€ ์ต์Šคํ”Œ๋กœ์ž‡๊ฐ„์— ์˜ค๊ฐ€๋Š” ๋ชจ๋“  ๋ฐ์ดํ„ฐ๋ฅผ ํ™”๋ฉด์— ์ถœ๋ ฅ
context.log_level = 'info'  # ๋น„๊ต์  ์ค‘์š”ํ•œ ์ •๋ณด๋“ค๋งŒ ์ถœ๋ ฅ

8. context.arch

pwntools๋Š” ์…ธ์ฝ”๋“œ๋ฅผ ์ƒ์„ฑํ•˜๊ฑฐ๋‚˜, ์ฝ”๋“œ๋ฅผ ์–ด์…ˆ๋ธ”, ๋””์Šค์–ด์…ˆ๋ธ”ํ•˜๋Š” ๊ธฐ๋Šฅ ๋“ฑ์„ ๊ฐ€์ง€๊ณ  ์žˆ๋Š”๋ฐ, ์ด๋“ค์€ ๊ณต๊ฒฉ ๋Œ€์ƒ์˜ ์•„ํ‚คํ…์ฒ˜์— ์˜ํ–ฅ์„ ๋ฐ›์Œ

๊ทธ๋ž˜์„œ pwntools๋Š” ์•„ํ‚คํ…์ฒ˜ ์ •๋ณด๋ฅผ ํ”„๋กœ๊ทธ๋ž˜๋จธ๊ฐ€ ์ง€์ •ํ•  ์ˆ˜ ์žˆ๊ฒŒ ํ•˜๋ฉฐ, ์ด ๊ฐ’์— ๋”ฐ๋ผ ๋ช‡๋ช‡ ํ•จ์ˆ˜๋“ค์˜ ๋™์ž‘์ด ๋‹ฌ๋ผ์ง 

from pwn import *
context.arch = "amd64" # x86-64 ์•„ํ‚คํ…์ฒ˜
context.arch = "i386"  # x86 ์•„ํ‚คํ…์ฒ˜
context.arch = "arm"   # arm ์•„ํ‚คํ…์ฒ˜

9. shellcraft 

pwntools์—๋Š” ์ž์ฃผ ์‚ฌ์šฉ๋˜๋Š” ์…ธ ์ฝ”๋“œ๋“ค์ด ์ €์žฅ

#!/usr/bin/python3
#Name: shellcraft.py
from pwn import *
context.arch = 'amd64' # ๋Œ€์ƒ ์•„ํ‚คํ…์ฒ˜ x86-64
code = shellcraft.sh() # ์…ธ์„ ์‹คํ–‰ํ•˜๋Š” ์…ธ ์ฝ”๋“œ 
print(code)
$ python3 shellcraft.py
    /* execve(path='/bin///sh', argv=['sh'], envp=0) */
    /* push b'/bin///sh\x00' */
    push 0x68
    mov rax, 0x732f2f2f6e69622f
    ...
    syscall

10. asm 

์–ด์…ˆ๋ธ” ๊ธฐ๋Šฅ ์ œ๊ณต

ํ•ด๋‹น ๊ธฐ๋Šฅ๋„ ์•„ํ‚คํ…์ฒ˜๊ฐ€ ์ค‘์š”ํ•˜๊ธฐ ๋•Œ๋ฌธ์— ์•„ํ‚คํ…์ฒ˜๋ฅผ ๋ฏธ๋ฆฌ ์ง€์ • 

#!/usr/bin/python3
#Name: asm.py
from pwn import *
context.arch = 'amd64' # ์ต์Šคํ”Œ๋กœ์ž‡ ๋Œ€์ƒ ์•„ํ‚คํ…์ฒ˜ 'x86-64'
code = shellcraft.sh() # ์…ธ์„ ์‹คํ–‰ํ•˜๋Š” ์…ธ ์ฝ”๋“œ
code = asm(code)       # ์…ธ ์ฝ”๋“œ๋ฅผ ๊ธฐ๊ณ„์–ด๋กœ ์–ด์…ˆ๋ธ”
print(code)
$ python3 asm.py
b'jhH\xb8/bin///sPH\x89\xe7hri\x01\x01\x814$\x01\x01\x01\x011\xf6Vj\x08^H\x01\xe6VH\x89\xe61\xd2j;X\x0f\x05'

 

11. ELF

binary = ELF("./ํŒŒ์ผ")

puts_plt = binary.plt['puts']

puts_got = binary.got['puts']

 

[์ถœ์ฒ˜]

dreamhack ์‚ฌ์ดํŠธ